Managing the Risk of Fraud Using ISO 31000 Paul J. Sobel Vice President/ Chief Audit Executive Georgia-Pacific LLC

Outline
• Overview of ISO 31000 – New Global Risk Management Standard
• Framework for Fraud Risk Management
• Fraud Risk Assessment
• Treating, Monitoring & Reporting on Fraud Risk
• Internal Audit’s Role in Fraud Risk Management

ISO 31000 – A Brief History
• Australia/New Zealand Standard #4360 (1995, 1999, 2004)
• COSO ERM (2004)
• ISO 31000: Risk Management – Principles and Guidelines (2009)
  – ISO Guide 73: Risk Management – Vocabulary
  – ISO 31010: Risk Management – Risk Assessment Techniques

The Flow of Risk Management

The principles provide the foundation and describe the qualities of effective risk management in an organization.

The framework manages the overall process and its full integration into the organization.

The process for managing risk focuses on individual or groups of risks: their identification, analysis, evaluation and treatment.

Monitoring & review, continuous improvement and communication occur throughout.

ISO 31000 – An Overview

Principles (Clause 3)
• Creates value
• Integral part of organizational processes
• Part of decision making
• Explicitly addresses uncertainty
• Systematic, structured and timely
• Based on the best available information
• Tailored
• Takes human and cultural factors into account
• Transparent and inclusive
• Dynamic, iterative and responsive to change
• Facilitates continual improvement and enhancement of the organization

Framework (Clause 4)
• Mandate and commitment (4.2)
• Design of framework for managing risk (4.3)
• Implementing risk management (4.4)
• Monitoring and review of the framework (4.5)
• Continual improvement of the framework (4.6)

Process (Clause 5)
• Communication and consultation (5.2)
• Establishing the context (5.3)
• Risk assessment (5.4)
  – Risk identification (5.4.2)
  – Risk analysis (5.4.3)
  – Risk evaluation (5.4.4)
• Risk treatment (5.5)
• Monitoring and review (5.6)

Linkage of Principles to Fraud

ISO 31000 Principle                  Applicability to Fraud
Creates value                        Protects value
Integral part of processes           Embedded in processes
Part of decision making              Influences decisions
Addresses uncertainty                Fraught with uncertainty
Systematic, structured & timely      Systematic, structured & timely
Best available information           Predictive/detective information
Tailored                             Company specific
Human & cultural factors             Culturally dependent
Transparent & inclusive              Must include everybody
Dynamic; responsive to change        Keep up with the fraudsters
Facilitates continual improvement    Requires continual improvement

Fraud Framework
• Mandate and commitment (4.2): commitment from the top; must reflect the tone at the top.
• Design of framework for managing risk (4.3): must understand the business; have policy, reporting, accountability & implications.
• Implementing risk management (4.4): goes beyond risk assessment (process to follow).
• Monitoring and review of the framework (4.5) and continual improvement of the framework (4.6): fraudsters evolve, so must the fraud program; goes beyond detecting fraud and includes cultural changes, etc.

Determine Fraud Risk Criteria
• Support the success and operation of the organization.
• Help define the direction for fraud risk management.
• Should be established by the board and senior management (i.e., top-down).
• Consider the real-life context affecting long-term consequences.

Fraud Risk Capacity
• Organization’s total capability to absorb outcomes from fraud events.
• May even define the boundaries for survival.
• Could be individual fraud event outcomes or aggregate outcomes of multiple events.
• Common examples:
  – Judgments from litigation
  – Violations of laws and regulation
  – Damage to reputation

Fraud Risk Attitude
• Risk Management Philosophy (COSO) – “Set of shared beliefs and attitudes characterizing how the entity considers risk in everything it does, from strategy development and implementation to its day-to-day activities.”
• Risk Attitude (ISO 31000) – “Organization’s approach to assess and eventually pursue, retain, take or turn away from risk.”
• Think of it as a spectrum reflecting an organization’s propensity to take on risk:
  – Risk Averse ←→ Risk Accepting

Fraud Risk Appetite
• Definition
  – Type and total amount of risk an organization is willing to take on in pursuit of its business objectives.
  – You can’t necessarily avoid all fraud risk; some risk must be accepted in pursuit of strategic objectives.
  – Should consider fraud risk capacity and reflect the organization’s fraud risk attitude.
  – Ultimately, it’s about balancing success and survival.

Fraud Risk Appetite Examples
• We will strive for 100% compliance with laws and regulations.
• We will seek new markets for our products, but only in countries with a Global Integrity Index of “moderate” or higher.
• We will not do business with contractors who refuse to sign our Code of Ethics acknowledgement.
• We will not tolerate any actions of fraud or misappropriation by any employee, regardless of position.
• There will be no retaliation against any whistleblowers.

Fraud Risk Tolerance
• COSO Definition – “Acceptable level of variation relative to achievement of a specific objective, and often is best measured in the same units as those used to measure the related objective.”
• ISO 31000 Definition – “Organization’s or stakeholder’s readiness to bear the risk after risk treatment in order to achieve its objectives.”
• My Definition – Risk-taking boundaries within which managers and employees are expected to perform in pursuit of the organization’s strategic, operations, reporting and compliance objectives.

Fraud Risk Tolerance
• Boundaries are expressed as the ceiling and/or floor related to key risk outcomes and effects, for example:
  – Financial results (current or future)
  – Reputation (real or perceived damage)
  – Health & safety (injuries, lost time)
  – Environmental (exceedances, spills, remediation costs)
  – Compliance (fines, penalties, sanctions)
  – Customer satisfaction (ratings, market share)
  – Warranty defects (liability, cost to repair)

Fraud Risk Tolerance Examples
• In fraud cases where we can seek restitution, we will only do so if the costs are not more than 150% of the expected restitution amount.
• Internal controls should be designed to ensure duties are segregated to prevent any type of fraud without collusion.
• Monitoring efforts should be designed with a focus on detecting fraud events totaling $10,000 or more.
• Taking company assets for personal use is considered fraud if the value of such assets exceeds $25.
• There should be no frauds detected by our External Auditor.

Fraud Risk Management Process
• Establishing the Context
• Fraud Risk Assessment
  – Fraud risk identification
  – Fraud risk analysis
  – Fraud risk evaluation
• Fraud Risk Treatment
• Fraud Monitoring and Reporting

Fraud Risk Identification
• What examples of fraud have occurred in the past?
  – Inside the company
  – To others in our industry
• What examples of fraud haven’t occurred, but could have?
• What are the different outcomes (consequences) from fraud events?

Fraud Risk Analysis
• Where are these fraud events most likely to occur? Why?
• What are the different consequences of different types of fraud events?
• What conditions increase the likelihood of fraud events occurring?
• Are there interrelationships between events that could cause one to make another one worse?

Fraud Risk Evaluation
• What is the impact of possible outcomes from fraud events?
• How likely is it that fraud outcomes will be realized?
• What other factors may influence how we prioritize fraud risks?
• What does our prioritized risk profile look like?

Fraud Risk Assessment Criteria

[Figure: a 3×3 matrix with Impact (Low, Medium, High) on the vertical axis and Likelihood (Remote, Possible, Probable) on the horizontal axis.]

• Traditional focus has been primarily on Impact and Likelihood
• Tends to be single point outcomes as opposed to a range of outcomes
• A good foundation, but is it robust enough in today’s business world?

What About Other Criteria?
• Risk velocity
• Interdependencies
• Risk tolerance
• Frequency of occurrence
• Readiness/Preparedness
• Volatility
• Capacity
• Maturity
• Controllability
• Degree of confidence
• Monitorability

How Do You Make Sense of Multiple Criteria?
• Mapping Multiple Dimensions Won’t Work!

A Possible Approach
1. Start with traditional impact/likelihood assessment.
2. Determine which Other Risk Assessment Factors are relevant and meaningful.
3. Assess whether those factors will significantly, moderately or negligibly affect:
   • How the risk is managed
   • How the risk is prioritized relative to other risks
   • How the risk is monitored and reported

One Example

[Factor A and Factor B ratings were shown graphically on the slide and did not survive extraction.]

Risk   Impact   Likelihood   Factor A   Factor B   Priority
AAA    High     High                               1
BBB    High     Medium                             2
CCC    Medium   High                               3
DDD    High     Low                                4
EEE    Medium   Medium                             5
FFF    Low      High                               6
GGG    Medium   Low                                7
HHH    Low      Medium                             8
III    Low      Low                                9

One Example (continued) – the same risks, re-prioritized

[Factor A and Factor B ratings were shown graphically on the slide and did not survive extraction.]

Risk   Impact   Likelihood   Factor A   Factor B   Priority
AAA    High     High                               1
BBB    High     Medium                             3
CCC    Medium   High                               5
DDD    High     Low                                2
EEE    Medium   Medium                             4
FFF    Low      High                               6
GGG    Medium   Low                                8
HHH    Low      Medium                             7
III    Low      Low                                9
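The three-step approach carried through on the nine example risks, as an added illustration that is not part of the deck: the first pass reproduces the impact/likelihood ordering of the first table, the second pass applies constructed factor ratings to show how priorities move. The scoring scale (sum of level values), the impact-then-likelihood tie-break, and every factor rating are assumptions of this example, not the author's method.

```python
# Added example, not from the deck: ranks risks as the "A Possible Approach"
# slides describe. Pass 1 orders by impact and likelihood alone; pass 2 adds
# the other assessment factors (velocity, controllability, ...), each rated
# significant, moderate or negligible. The scoring scale, tie-break rule and
# every factor rating below are constructed assumptions, not the deck's.

LEVEL = {"Low": 1, "Medium": 2, "High": 3}
EFFECT = {"negligible": 0, "moderate": 1, "significant": 2}  # assumed weights

def base_score(risk):
    """Traditional impact/likelihood score (assumed: simple sum of levels)."""
    return LEVEL[risk["impact"]] + LEVEL[risk["likelihood"]]

def factor_adjustment(risk):
    """Sum of other-factor effects; direction +1 raises priority (e.g. high
    velocity), -1 lowers it (e.g. the risk is highly controllable)."""
    return sum(EFFECT[effect] * direction
               for effect, direction in risk.get("factors", {}).values())

def prioritize(risks, use_factors=False):
    """Return {risk name: priority rank}, 1 = highest priority."""
    def key(r):
        score = base_score(r) + (factor_adjustment(r) if use_factors else 0)
        # Ties broken by impact, then likelihood (assumed rule; it reproduces
        # the ordering on the first example slide).
        return (-score, -LEVEL[r["impact"]], -LEVEL[r["likelihood"]])
    return {r["name"]: rank for rank, r in enumerate(sorted(risks, key=key), 1)}

# Constructed sample: the nine risks from the example slides. The factor
# ratings are invented to illustrate how priorities shift in pass 2.
RISKS = [
    {"name": "AAA", "impact": "High", "likelihood": "High"},
    {"name": "BBB", "impact": "High", "likelihood": "Medium"},
    {"name": "CCC", "impact": "Medium", "likelihood": "High",
     "factors": {"controllability": ("moderate", -1)}},
    {"name": "DDD", "impact": "High", "likelihood": "Low",
     "factors": {"velocity": ("significant", +1)}},
    {"name": "EEE", "impact": "Medium", "likelihood": "Medium",
     "factors": {"interdependencies": ("moderate", +1)}},
    {"name": "FFF", "impact": "Low", "likelihood": "High"},
    {"name": "GGG", "impact": "Medium", "likelihood": "Low"},
    {"name": "HHH", "impact": "Low", "likelihood": "Medium",
     "factors": {"readiness": ("moderate", +1)}},
    {"name": "III", "impact": "Low", "likelihood": "Low"},
]
```

`prioritize(RISKS)` yields the first table's ranks and `prioritize(RISKS, use_factors=True)` the second table's; changing a factor's rating or direction shows how sensitive the ordering is to the weights chosen.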

Treating Fraud Risk
• Focus on highest priority risks first.
• Determine possible options for treatment.
  – Avoid, transfer, reduce or accept
• Decide on the best treatment option.
  – Should take into consideration fraud risk attitude and tolerance

Monitoring Fraud Risk
• Visible monitoring can be an effective deterrent to fraud.
• Must consider costs/benefits of monitoring to prevent fraud vs. monitoring to detect fraud.
• There are different things that can be monitored:
  – Fraud events
  – Effectiveness of the fraud system
  – Changes in the business context

Reporting Fraud Risk
• Educate the Board on the fraud risk profile and means to manage the risks.
• Determine escalation protocol for various types of fraud events.
• Consider reporting of changes in business context and impact on fraud risk profile.

Internal Audit’s Role
• Help build the framework for fraud risk management.
• Facilitate fraud risk assessments.
• Provide assurance and advice on the effectiveness of:
  – Fraud risk treatments;
  – Fraud monitoring activities;
  – Fraud reporting.
• Provide fraud training and education.

Summary
• Just as the business world changes and evolves, so does fraud.
• It is important to have some structure to a fraud risk management program.
• Risk management techniques found in ISO 31000 can provide a good road map for fraud risk management.
• Internal auditors can play an important role in the fraud risk system.

Questions?
